[3986] in WWW Security List Archive
Re: RE: Javascript and Security
daemon@ATHENA.MIT.EDU (BVE)
Wed Jan 15 13:26:02 1997
Date: Wed, 15 Jan 97 10:39:02 EST
From: bve@omsk.quadrix.com (BVE)
To: hallam@ai.mit.edu
In-Reply-To: <01BC0205.63CD6B30@crecy.ai.mit.edu> (hallam@ai.mit.edu)
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
> From: "Phillip M. Hallam-Baker" <hallam@ai.mit.edu>
> When they access a site that uses Java, _and_ they have some reasonable
> level of assurance that it is not compromised, they can then enable
> Java(script) for use on that site. I know this is cumbersome, and
It's not just cumbersome (I can live with it), but most users won't remember to,
or won't bother to, keep toggling it on and off. Unfortunately, the user's
tendency is to do what's easiest, unless they've directly experienced the
down-side. (And even then, they may not do the right thing!)
> It is a great pity that the Java developers chose to ignore the
> HTTP protocol spec and give Java the content type application/binary
> rather than state it as application/Java as it should be. As a
> result there is no mechanism whereby a firewall manager can prevent
> Java from being carried across a firewall without preventing all
> application/binary types.
While I agree that they screwed up on the MIME type choice, you still can strip
Java out, because of the way it's used. A number of today's firewalls have
functions for stripping out Java, JavaScript, VBScript, and ActiveX. They're
based on filtering the <applet> and <embed> tags out of the HTML stream.
Terrible method, I know, but it does work....
-- Bill Van Emburg
Phone: 908-235-2335 Quadrix Solutions, Inc.
Fax: 908-235-2336 (bve@quadrix.com)
Check out http://yourtown.com! (http://quadrix.com)
"You do what you want, and if you didn't, you don't"
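The two mechanisms discussed in this thread, a proxy filter that drops <applet> and <embed> tags from the HTML stream and a content check that does not depend on the declared MIME type, as an added example. This is illustration code, not the code of any firewall product mentioned in the thread or of either poster. The stripping also covers <object> and <script> elements and inline on* event-handler attributes, which is an assumed extension beyond the two tags the reply names; the response classifier uses the class-file signature 0xCAFEBABE in place of trusting the Content-Type header, which is the practitioner's answer to the application/binary problem Hallam-Baker raises. The HTML and byte strings at the bottom are constructed samples.

```python
"""Added example: tag stripping and content-type-independent Java detection
for a filtering proxy. Not the code of any real product; the blocked-tag set
beyond applet/embed and the sample inputs are assumptions."""
from html import escape
from html.parser import HTMLParser

# Elements whose whole subtree is dropped. <applet> and <embed> come from the
# thread; <object> and <script> are an assumed extension.
BLOCKED_ELEMENTS = {"applet", "embed", "object", "script"}
# HTML void elements among the blocked set: they have no closing tag, so they
# must not open a "suppressed region" that would swallow the rest of the page.
VOID_BLOCKED = {"embed"}
# First four bytes of every Java class file, independent of the Content-Type
# header the server attached.
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"


class ActiveContentStripper(HTMLParser):
    """Rebuilds an HTML document without blocked elements or on* attributes.

    A real tokenizer, rather than a substring search for "<applet", matches
    tag names case-insensitively and is unaffected by attribute noise.
    """

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []      # rebuilt document fragments
        self.depth = 0     # > 0 while inside a blocked (non-void) element
        self.removed = []  # names of dropped elements, for the proxy log

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_ELEMENTS:
            self.removed.append(tag)
            if tag not in VOID_BLOCKED:
                self.depth += 1
            return
        if self.depth:
            return
        # Drop inline script handlers such as onload= or onclick= (assumption).
        kept = [(k, v) for k, v in attrs if not k.lower().startswith("on")]
        text = "".join(
            f' {k}="{escape(v, quote=True)}"' if v is not None else f" {k}"
            for k, v in kept
        )
        self.out.append(f"<{tag}{text}>")

    def handle_endtag(self, tag):
        if tag in BLOCKED_ELEMENTS:
            if tag not in VOID_BLOCKED:
                self.depth = max(0, self.depth - 1)
            return
        if not self.depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        if not self.depth:
            self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        if not self.depth:
            self.out.append(f"<!{decl}>")


def strip_active_content(html_text):
    """Return (filtered_html, list_of_removed_element_names)."""
    parser = ActiveContentStripper()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.removed


def looks_like_java_class(body):
    """True if the response body starts with the Java class-file signature."""
    return body[:4] == JAVA_CLASS_MAGIC


def classify_response(content_type, body):
    """Decide by content, not by the declared type, whether a body is Java."""
    if looks_like_java_class(body):
        return "java-class"
    return content_type.split(";")[0].strip().lower() or "unknown"


# Constructed samples for a stand-alone run.
SAMPLE_HTML = (
    '<html><body onload="init()"><p>Hello &amp; welcome</p>'
    '<APPLET code="Clock.class" width=100><param name="tz" value="EST"></APPLET>'
    '<embed src="movie.mov"><p>Bye</p></body></html>'
)
SAMPLE_CLASS_BYTES = b"\xca\xfe\xba\xbe\x00\x00\x00\x2e"  # constructed header
SAMPLE_GIF_BYTES = b"GIF89a\x01\x00\x01\x00"

if __name__ == "__main__":
    html_out, dropped = strip_active_content(SAMPLE_HTML)
    print(html_out, dropped)
    print(classify_response("application/binary", SAMPLE_CLASS_BYTES))
    print(classify_response("application/binary", SAMPLE_GIF_BYTES))
```

The content check is what makes the MIME-type complaint moot at the firewall: a class file labelled application/binary is still recognised, while a GIF with the same label passes. The parser-based stripper shows why the "terrible method" works at all, and why it is brittle: it removes only what the tokenizer recognises as the named elements, so any document that fails to parse as expected will not be cleaned.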